

edenspiekermann/craft-jwt-auth
==============================

Enable authentication to Craft through the use of JSON Web Tokens (JWT)


Craft JWT Auth plugin
=====================


Enable authentication to Craft through the use of [JSON Web Tokens](https://jwt.io/) (JWT).

[![Screenshot](resources/img/plugin-logo.png)](resources/img/plugin-logo.png)

Requirements
------------


This plugin requires Craft CMS 3.3 or later.

Installation
------------


To install the plugin, follow these instructions.

1. Open your terminal and go to your Craft project:

    cd /path/to/project
2. Then tell Composer to load the plugin:

    composer require edenspiekermann/craft-jwt-auth
3. In the Control Panel, go to Settings → Plugins and click the “Install” button for Craft JWT Auth.

Craft JWT Auth Overview
-----------------------


From the [official website](https://jwt.io/):

```
JSON Web Tokens are an open, industry standard RFC 7519 method for representing claims securely between two parties.

```

This plugin authenticates requests to Craft that carry a JWT whose signature can be successfully verified against the configured secret key.

Configuring Craft JWT Auth
--------------------------

Once installed, navigate to the settings page of the plugin and enter the required settings to activate the plugin:

| Setting | Description |
| --- | --- |
| `Secret key` | Mandatory. Secret key used to sign outgoing and verify incoming JWTs. |
| `Auto create user` | Optional. Activate to enable auto-creation of a public user when provided a verifiable JWT. |

Using Craft JWT Auth
--------------------

The plugin attempts to verify any incoming request that carries a JWT in the `Authorization` header with a `Bearer` prefix, or in the simpler `X-Access-Token` header. An example:

```
# With Authorization: Bearer
curl --header "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o" MYCRAFTSITE.com

# With X-Access-Token
curl --header "X-Access-Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.XbPfbIHMI6arZ3Y922BhjWgQzWXcXNrz0ogtVhfEd2o" MYCRAFTSITE.com
```

The plugin will attempt to verify the token using the [lcobucci/jwt](https://github.com/lcobucci/jwt) package for PHP. The package adheres to the [IANA specifications](https://www.iana.org/assignments/jwt/jwt.xhtml) for JWTs.

If a provided token can be verified AND can be matched to a user account whose username matches the token's `sub` claim, the user is authenticated and the request is allowed to continue.

If the token is verifiable but no matching user account exists, and the `Auto create user` setting is enabled AND public registration is enabled in the Craft settings, a new user account is created on the fly and the new user is then logged in.
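
The verification and account-matching flow described above, as an added example that is not the plugin's code and does not use lcobucci/jwt: it checks an HS256 signature with PHP's built-in `hash_hmac` and `hash_equals`, requires a `sub` claim, and then applies the login / auto-create decision. The function names, secret, usernames and tokens are constructed for illustration, and HS256 is assumed from the header of the sample token in the curl commands.

```php
<?php
// Added example, not the plugin's code. Secret, usernames and tokens are constructed.
function b64url_decode(string $s): string {
    $s = strtr($s, '-_', '+/');
    return (string) base64_decode(str_pad($s, strlen($s) + (4 - strlen($s) % 4) % 4, '='), true);
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}
// Returns the claims of a valid HS256 token, or null.
function verify_hs256(string $jwt, string $secret): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        return null; // not a compact JWS
    }
    [$h, $p, $sig] = $parts;
    $header = json_decode(b64url_decode($h), true);
    // Pin the algorithm instead of trusting the token's own header.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') {
        return null;
    }
    // Constant-time comparison of recomputed and presented signatures.
    if (!hash_equals(hash_hmac('sha256', "$h.$p", $secret, true), b64url_decode($sig))) {
        return null;
    }
    $claims = json_decode(b64url_decode($p), true);
    if (!is_array($claims) || !is_string($claims['sub'] ?? null) || $claims['sub'] === '') {
        return null; // sub is what gets matched to a username
    }
    return $claims;
}
// README flow: log in a matching user; create one only if both settings allow it.
function decide(?array $claims, array $users, bool $autoCreate, bool $publicReg): string {
    if ($claims !== null && in_array($claims['sub'], $users, true)) {
        return 'login';
    }
    return ($claims !== null && $autoCreate && $publicReg) ? 'create' : 'reject';
}

$mint = function (array $claims, string $key): string {
    $in = b64url_encode('{"alg":"HS256","typ":"JWT"}') . '.' . b64url_encode(json_encode($claims));
    return $in . '.' . b64url_encode(hash_hmac('sha256', $in, $key, true));
};
$secret = 'constructed-demo-secret';
$cases = [[$mint(['sub' => 'alice'], $secret), false], [$mint(['sub' => 'bob'], $secret), true],
          [$mint(['sub' => 'alice'], 'other-key'), true]];
foreach ($cases as [$jwt, $autoCreate]) {
    echo decide(verify_hs256($jwt, $secret), ['alice'], $autoCreate, true), "\n";
}
```

The three constructed cases cover an existing user, an unknown `sub` with auto-creation enabled, and a token signed with a different key.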

Craft JWT Auth Roadmap
----------------------


### Features


The plugin does or will offer the following features:

- Validate incoming requests with a JWT present in the Authentication headers.
- Match a validated JWT to a user account in Craft CMS and login as that user.
- Optionally create a new account if no existing account can be found.
- Generate a JWT from a user’s account data to enable sharing with other services that implement the same secret key.

### Milestones

While the plugin is already usable, it is by no means finished. Use at your own risk. Some things to do before I'm comfortable taking it to version 1.0.0:

- `0.2.0` Refactor into more logical set of services and classes.
- `0.3.0` Better testing for the presence of an actual JWT, rather than some other type of token.
- `0.3.1` Checking for the presence of valid claims and handling if they aren't there.
- `0.3.2` Handle edge case of successful user creation but failed image creation.
- `0.3.3` Better exception handling in general.
- `0.4.0` Add test cases for all of that.
- Have really smart people review the code for vulnerabilities.
- Other stuff I haven't thought of because I haven't done 👆 yet.

Written and maintained by [Mike Pierce](https://michaelpierce.trade). Made possible by [Edenspiekermann](https://edenspiekermann.com).
